LabMinutes# SEC0035 - Cisco ISE 1.1 Device Admin RADIUS Authentication

Captions
Welcome to labminutes.com. In this video we will look at how we can configure Cisco ISE to support device admin authentication. If you're familiar with Cisco ACS, you know the protocol commonly used for this is TACACS+, but since ISE does not support TACACS+ at this point we are stuck with using RADIUS, which means that we will be missing certain features like per-command authorization. Although rumor has it that TACACS+ is coming in ISE version 2, so let's keep our fingers crossed for that.

Now let's take a look at our lab setup. In the lab we have a switch, SW1, that we'll be using as the test login device, and we'll have three login accounts: two of them reside in Active Directory, called admin1 and employee1; the third account we'll be creating local to ISE.

We are going to begin our configuration on the switch. Here we're going to create a local user account, so in case the switch loses connectivity to the RADIUS server it still has an account to fall back to. Call it admin with the password cisco. You also want to make sure we have an enable password configured as well, so enable password cisco as well. Now we are going to enable AAA with the command aaa new-model, and then enable AAA authentication with the authentication type login, with a default group of radius, and then falling back to local. OK, now we're going to have to tell the switch what RADIUS servers to use, so we configure radius-server host with the IP 172.16.32.102, which is the IP of our ISE server, and the RADIUS key of cisco. We also want to shorten the RADIUS timeout so we do not have to wait for too long if ISE becomes unreachable and the switch needs to fall back. We also want to source our RADIUS traffic from a loopback interface, and that should be all of the configuration you need for now on the switch as far as accomplishing this simple authentication.

Next we're going to turn our attention to the ISE server, but actually, before we do that, let me show you the two user accounts that we have created previously on the Active Directory: one is called admin1 and one is called employee1.

OK, now once you log into ISE we're going to add the switch as a network device so ISE recognizes the switch when it receives the authentication request. When you deal with a network device you also have an option to create network device groups, and usually a network device group comes into play when you perform authorization. So, for example, you might want a different user to have a different level of access on a certain device that belongs to a device group, and you can group them in pretty much any way you like. By default ISE comes with two device groups: one is called All Device Types and one is called All Locations. The name pretty much speaks for itself. So for the device type, it's basically any device type and you can create subgroups; for us we have a type switch, so we're going to create a group Switch just to show you as an example. And if you happen to have, for example, different locations in your network, where there are buildings or campuses or a remote location, you can also do that if it's desirable for you to grant different network access based on location, but for us we're just going to leave it at the All Locations default.

Next we go into Network Devices, and to add the switch as a network device, click Add and give it a name; our switch is called SW1. If you want to give a description, for example, you can say core switch. For the IP address, we specifically told the switch to use a loopback address to source the RADIUS packets, so the IP of our loopback is 172.16.0.1. You have an option to specify the model name and software version of the device if you would like to provide a little bit more information; again, this is only for informational purposes, you don't really use it for authentication. Actually you do, it's part of the policies. Next, for the device groups: for location we're going to leave it at All Locations, since we didn't really create any subgroups, but for the device type we can choose Switch. Next, for the authentication settings, this is where you specify your RADIUS key, so for us we use cisco, and you can click on Show to look at the clear-text version of the key. You also can configure SNMP settings, but usually you only need that when you're dealing with profiling, because ISE is capable of querying the device through SNMP to obtain additional information to complete the profiling process. But since we're not dealing with profiling in this video, we're just going to go ahead and skip that step. Here we click Submit. OK, now the switch has been added.

Next we're going to create a local user account, so where you go is Identity Management and then Identities. Under Users, since we've got to create a user account and not an endpoint account, go Add, give it a name, call it local1. There are a few attributes that you can enter, and these attributes are pretty much customizable, so if there are additional attributes you would like to give to your local user account, then you can create additional ones; that's just on a separate page. But for here we're going to leave email blank; for the password we will use Cisco123 to meet the password complexity, with Cisco123; first name and last name, everything else we're just going to leave blank, so Submit. Here's our local account.

Now that we have all those configured, we're going to start configuring our policy, the authentication policies. OK, so here's the authentication policy page. When it comes to configuring the policies on ISE, it's pretty much very similar to ACS version 5, where it's a table full of rules, and then each rule gets evaluated from top to bottom, so you want to make sure that most of the time the more specific rule is put on top and the more generic one is at the bottom so the rule gets matched properly. By default Cisco provided two authentication rules: one is called MAB, for MAC address bypass, and one is called Dot1X. You can go ahead and modify those rules if you want to use them, but I personally like to keep those as the template for future reference. What you can do is basically disable them, and later on if you want to, for example, create a rule for MAB or dot1x you can just duplicate them.

OK, so when you construct a rule, not just for the authentication policy but pretty much all the policies on ISE, it's based on the concept of condition and result, again very similar to what's on ACS 5. So a condition is basically a series of attributes that you need to specify so ISE can use them and match them with the authentication request that it receives from the user, and based on a successful match ISE can look at the result and grant the network access accordingly. As I mentioned earlier, when you construct a rule for your policy, you want to try to be as specific as you can by specifying certain conditions. But the question is, how do you know what conditions to use? Well, one option is obviously right here: just duplicate the rules that are provided already by Cisco, the default rules. Or you can, as a second option, which is what we are going to do in this lab, first come up with a more generic rule that will match your authentication, and we can then try to look into the request itself and identify what kind of attributes we can use to construct our condition.

So here we're going to go ahead and use the default rule as our generic rule. For the allowed protocols we're going to leave that at the default for now, since we don't really know what protocol, that's actually the authentication method, will actually be used. And for the identity source, since we plan to use both AD and local: by default it's been set to Internal Users, which is the local database. In the previous video on AD integration we have already created an identity source sequence called AD Local, so let me select that for now and go ahead and save, and I'm going to jump to the identity source sequence page to show you what it looks like in case you missed that video. OK, so now that's saved, let me go ahead and go under Identity Source Sequences, and here, under LM AD Local. So an identity source sequence is basically just a list of identity sources that you're allowing ISE to look through when it's trying to find a user in the authentication request. So here with AD Local we have a list of AD1 as the first priority and then the Internal Users as the second option, so it's very straightforward.

Now that we have authentication policies set up, we have to look into authorization, which normally follows authentication, and again ISE comes with default authorization rules that we are going to go ahead and disable, and the default was already permitting access, so there's not really a need for us to change that. So Save.

OK, now that we have both authentication and authorization rules in place, we're going to go ahead and do some tests. We can naturally watch the authentication results as they come into ISE by going to Operations and then Authentications, and here, this is the table that will be populated as the requests come in, and it will show you exactly what the result of each request is. You can set up a refresh rate on the page as low as three seconds, so it will keep refreshing every three seconds, so let's go ahead and do that. And now we're going to switch back to our switch and do a quick authentication, so we're going to telnet to the switch loopback address and use our AD account admin1 with the password cisco. You can see you get dropped into the switch prompt; let's go ahead and go all the way to enable mode and do who. See, here we are logged in as admin1, and if you go back to ISE on the Live Authentications page you can see here is a successful authentication log entry.

OK, so let's exit. Let's try our local account that we created on ISE, which is local1, just to prove that the identity source sequence is working properly. So local1 is on ISE, and I just typed the password cisco, which is incorrect because the password for local1 is Cisco123, so you guys can see the failed authentication. So let's actually do local1 and then Cisco123. OK, with the correct password again we now have access on the switch. Going back to the Live Authentications page, here is the failed authentication with the red cross. Let's stop that refresh for a second, since it just keeps bumping me back to the beginning of the page. Right here, with the failure reason, if you hover your cursor on it you will see it says wrong password or invalid shared secret, so that's pretty obvious as far as why it failed the authentication, and this entry is the result of a successful authentication.

OK, now let's look into a little more detail of each successful authentication. This is very useful as far as troubleshooting and looking at what's going on within each authentication, so let's wait for that page to load up. As you work with ISE more and more, you will find yourself keep coming back to this page, and this is probably one of the most useful pages for your troubleshooting purposes. So going from top to bottom: your AAA status is authentication succeeded, with username admin1, and that's the IP of the device that we're trying to access. Allowed protocol: it matched Default Network Access, which we never changed. And then the identity store: it's telling you it was using Active Directory. Also the authorization profile was the default, that's PermitAccess. And the authentication protocol is coming in as PAP, which is a clear-text type of authentication, so we can certainly use that for our authentication condition, so let's make a quick note on that. OK, so we've got that, username admin1; let's see if anything else is of interest here: NAS-Port-Type Virtual, so basically we can use that to represent the characteristic of this particular type of authentication, so again let me make a quick note on that. So you can see that ISE is giving you a whole lot of information in this particular page right here. If you scroll down further it actually steps you through the RADIUS authentication progress, as far as what rule got matched: so here it matched the default rule, as we set up the default rule as a generic rule, the identity stores that were selected, the actual authentication against AD succeeded, and then the authorization policies.

So all right, now that we know exactly how to come up with the condition, let's go back to our authentication policies. Before we do that, let me show you the policy elements, actually authentication right here. The default allowed protocol is allowing all the protocols; let's say we want to lock that down just to PAP, like we saw in the authentication detail. The way to do that is to go to Policy Elements, Results, and we're dealing with authentication here, so Allowed Protocols, and that's the Default Network Access. To show you, by default we are actually allowing a whole lot of protocols here: in addition to PAP you've got EAP-TLS, you've got PEAP, you've got EAP-FAST. OK, so what we want to do is to create a new allowed protocol that only allows PAP, so we're going to call it LM PAP Only, and we're going to uncheck pretty much everything except PAP. OK, so Submit.

Now we can go ahead and create a more specific entry in the authentication policy. Right here you have an option to insert a brand new empty rule or duplicate; since we're not dealing with MAB we're just going to insert a new rule above, and we want to call it LM Device Admin. Right here for the condition, you have an option to select a condition from a library, that means you have previously configured an authentication condition as an element, but since we didn't do that we're just going to do it on the fly by using the advanced option here. Before, we saw that there's a RADIUS attribute that will characterize this particular type of RADIUS authentication request, and that attribute is called RADIUS NAS-Port-Type. Let's see if we can find that: RADIUS NAS-Port-Type, here, and we want it to be equal to Virtual. OK, so just to jump back to the authentication detail page, right here, NAS-Port-Type Virtual. All right, so now that we have that, for the allowed protocol we have already created a policy element result called LM PAP Only. OK, if you expand that you have more options to create additional conditions, and some of the conditions that are available down here might not be available up here. So for us, another condition that we want to configure is authentication protocol PAP_ASCII. OK, so we want it to match PAP specifically, and again we want to do it on the fly here, so the advanced option, and that's under Network Access, Authentication Method, and here we're matching PAP_ASCII. Just to show you that particular option or condition is not really available up here: let's say Add Attribute/Value, although it has Network Access just like down below, it doesn't have an option for Authentication Method, so we cannot do that at the top level; we have to do it down below there. So let's go ahead and delete that. OK, now that we have that in place, we want to point the identity database to the AD Local sequence, just like before. And now that we have a more specific authentication rule, there's not really a need for us to use the default rule anymore, and best practice is to make it a deny, so Deny Access, because anything that doesn't match the rules that we specifically configure should be automatically denied. So let's go ahead and save.

OK, now that we have that in place we can go back to our switch and do another test. Account admin1, cisco: successfully authenticated. Let's try our second account, which is employee1, cisco: login, no problem. And let's try our third account, which is local1, Cisco123, and that's all; that lets us in as well.

OK, now go back to the authentication detail page, so Operations, Authentications. Sometimes it helps just to make it a new tab so you don't have to jump back and forth. Here with Live Authentications, right here, it's the last three recent authentication successes. Now let's see what's different; let's go under admin1 one more time. OK, same thing, authentication succeeded, but this time for the allowed protocol, instead of the default one, we have the LM PAP Only that we configured. The rest, the authorization profile, we never changed anything. Keep going down, and right here, allowed protocol selection matched rule: so this is the rule that we configured specifically for device admin authentication. If you switch back to the page, right here, LM Device Admin, so it's telling you which rule it's matching; it's matching the one that we want. OK, so the two conditions that we configured on the rule are working. Now let's take a quick look at the successful login log for the local account: everything is pretty much almost identical except the identity store, which has now become Internal Users, and for the rest you can see everything is pretty much the same; identity store Internal Users.

OK, so as you can see, constructing an authentication policy rule is fairly straightforward; the tricky part is to know exactly what conditions you need to match a particular type of RADIUS authentication, and then make sure, if you have multiple rules, that they are put in the proper order, and the one that is more specific should be on top and get matched first. And you can always go back and use the two default rules as your template if it happens to fit your authentication type. OK, that's it, that pretty much wraps up our video on device admin authentication using Cisco ISE. Thank you for watching labminutes.com, I'll see you guys in the next video.
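The switch-side configuration the video walks through, written out as a single IOS snippet. This is an added example, reconstructed from the steps described in the captions, not a copy of the video's own configuration: the addresses (172.16.32.102 for ISE, 172.16.0.1 for the switch loopback), the interface name Loopback0, the shared secret cisco and the timeout/retransmit values are lab assumptions. Two points deliberately differ from the video and are marked in comments: enable secret and username ... secret are used instead of the reversible enable password / username ... password forms, and the VTY transport is noted because telnet carries the login password in clear text end to end.

```cisco
! Added example (not from the video): SW1 AAA login via RADIUS to ISE,
! falling back to the local database when ISE is unreachable.
! Assumed lab values: ISE 172.16.32.102, loopback 172.16.0.1, key "cisco".
!
! Local fallback account. The video uses "username admin password cisco";
! "secret" stores a salted hash instead of a type-7 reversible string.
username admin secret cisco
! Same reasoning: "enable secret" rather than the video's "enable password".
enable secret cisco
!
aaa new-model
! Default login method list: RADIUS group first, then local users.
! "local" is only consulted when no RADIUS server answers (timeout),
! NOT when ISE returns an Access-Reject, so a wrong password is not a bypass.
aaa authentication login default group radius local
!
! Loopback used as the RADIUS source. This exact address must be the IP
! configured on the ISE Network Device entry for SW1, otherwise ISE drops
! the request as coming from an unknown NAS.
interface Loopback0
 ip address 172.16.0.1 255.255.255.255
!
ip radius source-interface Loopback0
! Classic syntax of the IOS generation in the video; newer IOS uses
! "radius server <name>" / "address ipv4 ..." / "key ..." instead.
radius-server host 172.16.32.102 auth-port 1812 acct-port 1813 key cisco
! Keep the wait short so the fallback to local happens quickly if ISE dies.
radius-server timeout 3
radius-server retransmit 2
!
! VTY lines use the default list. The video tests with telnet; prefer SSH
! because PAP only obscures the password inside RADIUS (MD5 XOR with the
! shared secret), while telnet exposes it on the wire before it gets there.
line vty 0 4
 login authentication default
 transport input telnet ssh
!
! ISE side (GUI), for reference, as set up in the video:
!   Network Device SW1, IP 172.16.0.1, device type Switch, RADIUS key cisco
!   Allowed Protocols "LM PAP Only": everything unchecked except PAP/ASCII
!   Authentication rule "LM Device Admin" above the default:
!     Radius:NAS-Port-Type EQUALS Virtual
!     AND Network Access:AuthenticationMethod EQUALS PAP_ASCII
!     identity source sequence AD1 then Internal Users
!   Default authentication rule changed to DenyAccess
```

Before opening a second session, verify from the switch that ISE accepts the credentials without risking lockout of the current one: `test aaa group radius admin1 cisco legacy` sends a real Access-Request and prints the reply, and the attempt shows up in Operations, Authentications on ISE with the same rule match you would see for an interactive login. Leave an existing enable-mode session open until the test succeeds.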
Info
Channel: Lab Minutes
Views: 37,320
Keywords: ise, aaa, radius, pap
Id: 0fc0hi1M1lY
Length: 25min 13sec (1513 seconds)
Published: Fri Jan 25 2013